Up until now, we've been passing or blocking inbound traffic. To clarify, inbound
traffic is all traffic that enters the firewall on any interface. Conversely, outbound
traffic is all traffic that leaves on any interface (whether locally generated or simply
passing through). This means that all packets coming in are not only filtered as they
enter the firewall, they're also filtered as they exit. Thusfar there's been an implied pass
out all that may or may not be desirable.[[dagger]] Just as you may pass and block
incoming traffic, you may do the same with outgoing traffic.
Now that we know there's a way to filter outbound packets just like inbound, it's up to
us to find a concievable use for such a thing. One possible use of this idea is to keep
spoofed packets from exiting your own network. Instead of passing any traffic out the
router, you could instead limit permitted traffic to packets originating at 126.96.36.199/24.
You might do it like this: [[footnote: [[dagger]] This can, of course, be changed by using
-DIPFILTER_DEFAULT_BLOCK when compiling ipfilter on your system. ]]
pass out quick on tun0 from 188.8.131.52/24 to any
block out quick on tun0 from any to any
If a packet comes from 184.108.40.206/32, it gets sent out by the first rule. If a packet comes from 220.127.116.11/32 it gets blocked by the second.
You can also make similar rules for the unroutable addresses. If some machine tries to
route a packet through IPF with a destination in 192.168.0.0/16, why not drop it? The
worst that can happen is that you'll spare yourself some bandwidth:
block out quick on tun0 from any to 192.168.0.0/16
block out quick on tun0 from any to 172.16.0.0/12
block out quick on tun0 from any to 10.0.0.0/8
In the narrowest viewpoint, this doesn't enhance your security. It enhances everybody else's security, and that's a nice thing to do. As another viewpoint, one might suppose that because nobody can send spoofed packets from your site, that your site has less value as a relay for crackers, and as such is less of a target.
You'll likely find a number of uses for blocking outbound packets. One thing to always
keep in mind is that in and out directions are in reference to your firewall, never any